Add CRLDistributionPoints to leaf certificate

toc-rox · November 2, 2019, 6:24am

A standard letsencrypt leaf certificate has an OCSPServer field but no CRLDistributionPoints field. The CRLDistributionPoints field is given in the intermediate certificate (issuer of leaf certificate). That makes it difficult to verify the CRL, because the CRL is signed by the issuer of the intermediate certificate which isn’t present in the certificate chain.

Feature request: add CRLDistributionPoints to leaf certificate

A typical cert chain makes it clear:

CERTIFICATE DETAILS ...
SignatureAlgorithm       : SHA256-RSA
PublicKeyAlgorithm       : RSA
Version                  : 3
SerialNumber             : 299760584395680137105513467069717201743597
Subject                  : CN=www.freizeitkarte-osm.de
Issuer                   : CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
NotBefore                : 2019-09-12 22:18:26 +0000 UTC (valid for 90 days)
NotAfter                 : 2019-12-11 22:18:26 +0000 UTC (expires in 39 days)
KeyUsage                 : 5 (101, KeyEncipherment, DigitalSignature)
ExtKeyUsage              : ServerAuth, ClientAuth
IsCA                     : false
DNSNames                 : www.freizeitkarte-osm.de
OCSPServer               : http://ocsp.int-x3.letsencrypt.org
IssuingCertificateURL    : http://cert.int-x3.letsencrypt.org/
PolicyIdentifiers        : 2.23.140.1.2.1 (domain validation), 1.3.6.1.4.1.44947.1.1.1
SubjectKeyId             : 374cafefa428e297718071c6b6a8168bc49a4b02
AuthorityKeyId           : a84a6a63047dddbae6d139b7a64565eff3a8eca1

CERTIFICATE DETAILS ...
SignatureAlgorithm       : SHA256-RSA
PublicKeyAlgorithm       : RSA
Version                  : 3
SerialNumber             : 13298795840390663119752826058995181320
Subject                  : CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Issuer                   : CN=DST Root CA X3,O=Digital Signature Trust Co.
NotBefore                : 2016-03-17 16:40:46 +0000 UTC (valid for 1826 days)
NotAfter                 : 2021-03-17 16:40:46 +0000 UTC (expires in 501 days)
KeyUsage                 : 97 (1100001, CRLSign, CertSign, DigitalSignature)
IsCA                     : true
OCSPServer               : http://isrg.trustid.ocsp.identrust.com
IssuingCertificateURL    : http://apps.identrust.com/roots/dstrootcax3.p7c
CRLDistributionPoints    : http://crl.identrust.com/DSTROOTCAX3CRL.crl
PolicyIdentifiers        : 2.23.140.1.2.1 (domain validation), 1.3.6.1.4.1.44947.1.1.1
SubjectKeyId             : a84a6a63047dddbae6d139b7a64565eff3a8eca1
AuthorityKeyId           : c4a7b1a47b2c71fadbe14b9075ffc41560858910

Osiris · November 2, 2019, 7:45am

Why would Let’s Encrypt add a CRLDistributionPoints field when the do not operate an CRL for their leaf certificates?

toc-rox · November 4, 2019, 10:43am

You are right. This feature request doesn’t makes sense and can be closed.

stevenzhu · November 4, 2019, 4:27pm

That CRL is used to verify the status of the intermediate certificate, and since Let’s Encrypt (currently) only operates OCSP for leaf certificates, there’s no need to use CRL (since it won’t be accessible because nothing is running it)

system · December 4, 2019, 4:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.